Preauthentication failures without requires_preauth

Darren Reed (Optimation) darrenr at
Tue Nov 19 02:50:01 EST 2002

If a client sends a TGT request with invalud preauthenticated
data, will a valid TGS response be sent back if requires_preauth
is not sent for the principal concerned (ie. the password used
to create the preauthenticated data is incorrect) ?

Following on from this, is there an "easy" way to set this flag
(requires_preauth) on all entries in the kdc ?  Can I dump the
database out, set requires_preauth in kdc.conf, nuke the kdc
db, recreate it and load with kdb5_util, resulting in the flag now
being set on all principals ?  I know I can write a script to do
this, just looking at other alternatives.


More information about the krbdev mailing list